Merge pull request #328 from seattleflu/add-row-level-security

Adding row level security to sample and genomics tables

.gitignore

@@ -10,7 +10,7 @@
 !/Pipfile.lock
 !/pytest.ini
 !/setup.py
-!/sqitch.conf
+!/sqitch.template.conf
 !/wsgi.py
 
 # and these directories

schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql

@@ -0,0 +1,7 @@
+-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome to pg
+
+begin;
+
+revoke select on receiving.consensus_genome from reporter;
+
+commit;

schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql

@@ -0,0 +1,7 @@
+-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set to pg
+
+begin;
+
+revoke select on receiving.sequence_read_set from reporter;
+
+commit;

schema/deploy/shipping/views.sql

@@ -14,7 +14,7 @@ begin;
 -- there needs to be a lag between view development and consumers being
 -- updated, copy the view definition into v2 and make changes there.
 
-create or replace view shipping.presence_absence_result_v1 as
+create or replace view shipping.presence_absence_result_v1 with (security_invoker = true) as
 
     select sample.identifier as sample,
            target.identifier as target,
@@ -39,7 +39,7 @@ grant select
     to "incidence-modeler";
 
 
-create or replace view shipping.presence_absence_result_v2 as
+create or replace view shipping.presence_absence_result_v2 with (security_invoker = true) as
 
     select sample.identifier as sample,
            target.identifier as target,

schema/deploy/shipping/views@2023-07-27.sql

@@ -0,0 +1,67 @@
+-- Deploy seattleflu/schema:shipping/views to pg
+-- requires: shipping/schema
+-- requires: functions/array_distinct
+
+-- Hello!  All shipping views are defined here.  Rework this change with Sqitch
+-- to change a view definition or add new views.  This workflow helps keep
+-- inter-view dependencies manageable.
+
+begin;
+
+-- This view is versioned as a hedge against future changes.  Changing this
+-- view in place is fine as long as changes are backwards compatible.  Think of
+-- the version number as the major part of a semantic versioning scheme.  If
+-- there needs to be a lag between view development and consumers being
+-- updated, copy the view definition into v2 and make changes there.
+
+create or replace view shipping.presence_absence_result_v1 as
+
+    select sample.identifier as sample,
+           target.identifier as target,
+           present,
+           organism.lineage as organism
+
+    from warehouse.sample
+    join warehouse.presence_absence using (sample_id)
+    join warehouse.target using (target_id)
+    left join warehouse.organism using (organism_id)
+    where target.control = false;
+
+comment on view shipping.presence_absence_result_v1 is
+    'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+    on shipping.presence_absence_result_v1
+  from "incidence-modeler";
+
+grant select
+    on shipping.presence_absence_result_v1
+    to "incidence-modeler";
+
+
+create or replace view shipping.presence_absence_result_v2 as
+
+    select sample.identifier as sample,
+           target.identifier as target,
+           present,
+           organism.lineage as organism,
+           presence_absence.details as details
+
+    from warehouse.sample
+    join warehouse.presence_absence using (sample_id)
+    join warehouse.target using (target_id)
+    left join warehouse.organism using (organism_id)
+    where target.control = false;
+
+comment on view shipping.presence_absence_result_v2 is
+    'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+    on shipping.presence_absence_result_v2
+  from "incidence-modeler";
+
+grant select
+    on shipping.presence_absence_result_v2
+    to "incidence-modeler";
+
+commit;

schema/deploy/warehouse/consensus-genome/access-role-rls.sql

@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/consensus-genome/access-role-rls to pg
+
+begin;
+
+alter table warehouse.consensus_genome
+    add access_role regrole;
+
+create policy consensus_genome_rls
+    on warehouse.consensus_genome
+    for all
+    to public
+    using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.consensus_genome
+    enable row level security;
+
+commit;

schema/deploy/warehouse/genomic-sequence/access-role-rls.sql

@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/genomic-sequence/access-role-rls to pg
+
+begin;
+
+alter table warehouse.genomic_sequence
+    add access_role regrole;
+
+create policy genomic_sequence_rls
+    on warehouse.genomic_sequence
+    for all
+    to public
+    using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.genomic_sequence
+    enable row level security;
+
+commit;

schema/deploy/warehouse/sample/access-role-rls.sql

@@ -0,0 +1,17 @@
+-- deploy seattleflu/schema:warehouse/sample/access-role-rls to pg
+
+begin;
+
+alter table warehouse.sample
+    add access_role regrole;
+
+create policy sample_rls
+    on warehouse.sample
+    for all
+    to public
+    using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.sample
+    enable row level security;
+
+commit;

schema/deploy/warehouse/sequence-read-set/access-role-rls.sql

@@ -0,0 +1,17 @@
+-- Deploy seattleflu/schema:warehouse/sequence-read-set/access-role-rls to pg
+
+begin;
+
+alter table warehouse.sequence_read_set
+    add access_role regrole;
+
+create policy sequence_read_set_rls
+    on warehouse.sequence_read_set
+    for all
+    to public
+    using (access_role is null or pg_has_role(current_user, access_role, 'usage'));
+
+alter table warehouse.sequence_read_set
+    enable row level security;
+
+commit;

schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql

@@ -0,0 +1,7 @@
+-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome from pg
+
+begin;
+
+grant select on receiving.consensus_genome to reporter;
+
+commit;

schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql

@@ -0,0 +1,7 @@
+-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set from pg
+
+begin;
+
+grant select on receiving.sequence_read_set to reporter;
+
+commit;

schema/revert/shipping/views.sql

@@ -38,10 +38,30 @@ grant select
     on shipping.presence_absence_result_v1
     to "incidence-modeler";
 
+
+create or replace view shipping.presence_absence_result_v2 as
+
+    select sample.identifier as sample,
+           target.identifier as target,
+           present,
+           organism.lineage as organism,
+           presence_absence.details as details
+
+    from warehouse.sample
+    join warehouse.presence_absence using (sample_id)
+    join warehouse.target using (target_id)
+    left join warehouse.organism using (organism_id)
+    where target.control = false;
+
+comment on view shipping.presence_absence_result_v2 is
+    'View of warehoused presence-absence results for modeling and viz teams';
+
 revoke all
     on shipping.presence_absence_result_v2
   from "incidence-modeler";
 
-drop view shipping.presence_absence_result_v2;
+grant select
+    on shipping.presence_absence_result_v2
+    to "incidence-modeler";
 
 commit;

schema/revert/shipping/views@2023-07-27.sql

@@ -0,0 +1,47 @@
+-- Deploy seattleflu/schema:shipping/views to pg
+-- requires: shipping/schema
+-- requires: functions/array_distinct
+
+-- Hello!  All shipping views are defined here.  Rework this change with Sqitch
+-- to change a view definition or add new views.  This workflow helps keep
+-- inter-view dependencies manageable.
+
+begin;
+
+-- This view is versioned as a hedge against future changes.  Changing this
+-- view in place is fine as long as changes are backwards compatible.  Think of
+-- the version number as the major part of a semantic versioning scheme.  If
+-- there needs to be a lag between view development and consumers being
+-- updated, copy the view definition into v2 and make changes there.
+
+create or replace view shipping.presence_absence_result_v1 as
+
+    select sample.identifier as sample,
+           target.identifier as target,
+           present,
+           organism.lineage as organism
+
+    from warehouse.sample
+    join warehouse.presence_absence using (sample_id)
+    join warehouse.target using (target_id)
+    left join warehouse.organism using (organism_id)
+    where target.control = false;
+
+comment on view shipping.presence_absence_result_v1 is
+    'View of warehoused presence-absence results for modeling and viz teams';
+
+revoke all
+    on shipping.presence_absence_result_v1
+  from "incidence-modeler";
+
+grant select
+    on shipping.presence_absence_result_v1
+    to "incidence-modeler";
+
+revoke all
+    on shipping.presence_absence_result_v2
+  from "incidence-modeler";
+
+drop view shipping.presence_absence_result_v2;
+
+commit;

schema/revert/warehouse/consensus-genome/access-role-rls.sql

@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/consensus-genome/access-role-rls from pg
+
+begin;
+
+alter table warehouse.consensus_genome
+    disable row level security;
+
+drop policy consensus_genome_rls
+    on warehouse.consensus_genome;
+
+alter table warehouse.consensus_genome
+    drop column access_role;
+
+commit;

schema/revert/warehouse/genomic-sequence/access-role-rls.sql

@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/genomic-sequence/access-role-rls from pg
+
+begin;
+
+alter table warehouse.genomic_sequence
+    disable row level security;
+
+drop policy genomic_sequence_rls
+    on warehouse.genomic_sequence;
+
+alter table warehouse.genomic_sequence
+    drop column access_role;
+
+commit;

schema/revert/warehouse/sample/access-role-rls.sql

@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/sample/access-role-rls from pg
+
+begin;
+
+alter table warehouse.sample
+    disable row level security;
+
+drop policy sample_rls
+    on warehouse.sample;
+
+alter table warehouse.sample
+    drop column access_role;
+
+commit;

schema/revert/warehouse/sequence-read-set/access-role-rls.sql

@@ -0,0 +1,14 @@
+-- Revert seattleflu/schema:warehouse/sequence-read-set/access-role-rls from pg
+
+begin;
+
+alter table warehouse.sequence_read_set
+    disable row level security;
+
+drop policy sequence_read_set_rls
+    on warehouse.sequence_read_set;
+
+alter table warehouse.sequence_read_set
+    drop column access_role;
+
+commit;

schema/sqitch.plan

@@ -243,3 +243,15 @@ functions/mint_identifiers 2022-07-15T22:13:52Z Dave Reinhart <[email protected]> #
 
 roles/identifier-minter/grants [roles/identifier-minter/grants@2022-07-25] 2022-07-28T19:05:20Z Dave Reinhart <[email protected]> # Add execute permissions on mint_identifiers function to identiifer-minter
 @2022-07-28 2022-07-28T19:20:25Z Dave Reinhart <[email protected]> # Schema as of 28 July 2022
+
+warehouse/sample/access-role-rls 2023-07-27T19:39:54Z Dave Reinhart <[email protected]> # Add column to store role name; Implement row-level security on sample table
+warehouse/genomic-sequence/access-role-rls 2023-07-27T21:01:44Z Dave Reinhart <[email protected]> # Add column to store role name; Implement row-level security on genomic_sequence table
+warehouse/consensus-genome/access-role-rls 2023-07-27T21:13:41Z Dave Reinhart <[email protected]> # Add column to store role name; Implement row-level security on consensus_genome table
+warehouse/sequence-read-set/access-role-rls 2023-07-27T21:32:39Z Dave Reinhart <[email protected]> # Add column to store role name; Implement row-level security on sequence_read_set table
+@2023-07-27 2023-07-27T21:44:39Z Dave Reinhart <[email protected]> # Schema as of 27 July 2023
+shipping/views [shipping/views@2023-07-27] 2023-07-27T22:31:51Z Dave Reinhart <[email protected]> # Add security invoker to shipping views for row-level security
+@2023-07-28 2023-07-27T22:41:52Z Dave Reinhart <[email protected]> # Schema as of 28 July 2023
+
+roles/reporter/revoke-select-on-receiving-consensus-genome 2023-08-18T23:41:26Z Dave Reinhart <[email protected]> # Revoke select permissions on receiving.consensus_genome from reporter.
+roles/reporter/revoke-select-on-receiving-sequence-read-set 2023-08-21T17:02:31Z Dave Reinhart <[email protected]> # Revoke select permissions on receiving.sequence_read_set from reporter.
+@2023-08-21 2023-08-21T17:58:25Z Dave Reinhart <[email protected]> # Schema as of 21 August 2023

schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql

@@ -0,0 +1,7 @@
+-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome on pg
+
+begin;
+
+select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.consensus_genome', 'select'))::int;
+
+rollback;

schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql

@@ -0,0 +1,7 @@
+-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set on pg
+
+begin;
+
+select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.sequence_read_set', 'select'))::int;
+
+rollback;

schema/verify/shipping/views@2023-07-27.sql

@@ -0,0 +1,15 @@
+-- Verify seattleflu/schema:shipping/views on pg
+
+begin;
+
+select 1/(count(*) = 1)::int
+  from information_schema.views
+ where array[table_schema, table_name]::text[]
+     = pg_catalog.parse_ident('shipping.presence_absence_result_v1');
+
+select 1/(count(*) = 1)::int
+  from information_schema.views
+ where array[table_schema, table_name]::text[]
+     = pg_catalog.parse_ident('shipping.presence_absence_result_v2');
+
+rollback;

schema/verify/warehouse/consensus-genome/access-role-rls.sql

@@ -0,0 +1,5 @@
+-- Verify seattleflu/schema:warehouse/consensus-genome/access-role-rls on pg
+
+begin;
+
+rollback;

schema/verify/warehouse/genomic-sequence/access-role-rls.sql

@@ -0,0 +1,5 @@
+-- Verify seattleflu/schema:warehouse/genomic-sequence/access-role-rls on pg
+
+begin;
+
+rollback;